
View Full Version : If you could give 3 tips for IIS what would it be?
macker123 11-08-2002, 11:42 AM I have just purchased my first web server and it should be up and running in 1-2 weeks. I am fluent with windows 2000, which it will be running, but I am sure there are many things I will have to learn.
If you could only give 3 tips for IIS, what would they be? Such as security, configuring, optimizing, etc.
RackMy.com 11-08-2002, 12:11 PM 1. Make sure you read up on how to secure W2K.
2. Keep all service packs and hotfixes up to date.
3. Do not leave Anonymous FTP open.
MarkIL 11-08-2002, 12:22 PM <semi_serious>
Switch to *NIX :stickout:
</semi_serious>
But yeah, as the previous poster said -- read up as much as you can about Win2k security, apply all the fixes, etc.
MGCJerry 11-08-2002, 01:31 PM Here's some more...
1. Only run services you absolutely need.
2. Install a good firewall.
3. Double check the configuration.
4. Keep a close eye on it!
Pingu 11-08-2002, 01:52 PM Here's some goodies:
Microsoft Baseline Security Analyzer (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp):
will check your system for vulnerabilities, missing hotfixes and service packs, and make nice reports of its findings and how to fix them.
IIS Lockdown Tool (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/locktool.asp):
IIS Lockdown Wizard works by turning off unnecessary features thereby reducing attack surface available to attackers.
Urlscan Security Tool (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp):
Think it's integrated now in the IIS Lockdown Tool, but it works by checking the URL people entered and blocking some parts of it (like weird calls to cmd.exe, for example).
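To show what a filter of the URLScan kind actually does before a request reaches the web server, here is an added example written for this thread; it is not code from the forum, from Microsoft or from URLScan itself. It normalizes the request path (percent-decoding, double-encoding and %u detection, backslash folding) and then applies deny rules before an extension allowlist. The allowed methods and extensions, and the sample request lines, are assumptions constructed for the example.

```python
"""
URLScan-style request filter (added illustration, not the thread's or
Microsoft's code).  Deny rules run first, an extension allowlist last.
"""
import posixpath
import re
from urllib.parse import unquote

# Methods and file extensions the hypothetical site actually serves (assumed).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_EXTENSIONS = {"", ".htm", ".html", ".asp", ".css", ".js", ".gif", ".jpg", ".png"}
# Program names that never belong in a request to a web root.
DENY_SUBSTRINGS = ("cmd.exe", "root.exe")
# IIS-specific %uXXXX escapes are refused outright rather than decoded.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


def decode_path(raw_path):
    """Percent-decode once and report whether a second pass would change the
    result; if it would, the client sent double-encoded characters
    (e.g. %255c -> %5c -> backslash)."""
    once = unquote(raw_path, errors="replace")
    twice = unquote(once, errors="replace")
    return once, once != twice


def check_request(request_line):
    """Return (allowed, reason) for a request line such as 'GET /index.htm'."""
    parts = request_line.split()
    if len(parts) < 2:
        return False, "malformed request line"
    method, target = parts[0].upper(), parts[1]
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    path = target.split("?", 1)[0]  # only the path part is checked here
    if UNICODE_ESCAPE.search(path):
        return False, "%u escape rejected"
    decoded, double_encoded = decode_path(path)
    if double_encoded:
        return False, "double encoding rejected"
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in decoded):
        # Invalid or overlong UTF-8 decodes to U+FFFD and is caught here too.
        return False, "high-bit or control character rejected"
    normalized = decoded.lower().replace("\\", "/")
    if ".." in normalized.split("/"):
        return False, "directory traversal rejected"
    if any(name in normalized for name in DENY_SUBSTRINGS):
        return False, "denied program name"
    if posixpath.splitext(normalized)[1] not in ALLOWED_EXTENSIONS:
        return False, "extension not served"
    return True, "ok"


# Constructed sample requests: ordinary traffic plus the kinds of encoded
# paths the thread's posters mention (cmd.exe calls, Unicode tricks).
SAMPLE_REQUESTS = [
    "GET /default.htm",
    "GET /products.asp?id=5",
    "GET /report%20final.htm",
    "TRACE /",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe",
    "GET /scripts/..%255c../winnt/system32/cmd.exe",
    "GET /scripts/..%5c../winnt/system32/cmd.exe",
    "GET /..%2f..%2fwinnt/system32/cmd.exe",
    "GET /scripts/cmd.exe",
    "GET /%u002e%u002e/default.htm",
    "GET /global.asa",
]


def scan(requests):
    """Map each request line to its (allowed, reason) verdict."""
    return {line: check_request(line) for line in requests}


if __name__ == "__main__":
    for line, (allowed, reason) in scan(SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {reason:40} {line}")
```

The order of the checks matters: encoding problems are rejected before anything is decoded, the decoded path is examined for traversal and denied names, and only a request that survives all of that is matched against the short list of extensions the site serves. Three of the eleven sample lines pass.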
grega 11-08-2002, 09:56 PM 1. Install Apache.
2. Install FreeBSD, or at least Red Hat.
I don't mean to make myself out to look like an ******* or anything, but after some time you will understand exactly what I mean. I hung out at this one website that runs IIS and Windows 2000, and they have been rooted and defaced at least 5 times. Anything Microsoft isn't worth the trouble, especially as a web server; seems like every time you patch up a vulnerability in it, another one pops up. IMHO Microsoft isn't worth the time or the headaches, but gl with your new server :) take care
IGobyTerry 11-08-2002, 10:18 PM 1. Install Apache.
2. Install FreeBSD, or at least Red Hat.
He might want to do that in reverse order. Also, it sounds like that site you hang out at doesn't keep their security updated too well.
RackMy.com 11-08-2002, 10:36 PM I don't mean to make myself out to look like an ******* or anything, but after some time you will understand exactly what I mean. I hung out at this one website that runs IIS and Windows 2000, and they have been rooted and defaced at least 5 times. Anything Microsoft isn't worth the trouble, especially as a web server; seems like every time you patch up a vulnerability in it, another one pops up. IMHO Microsoft isn't worth the time or the headaches, but gl with your new server take care
FreeBSD is not better, security wise, over W2K. If you don't know how to admin FreeBSD, what does it matter?
One OS is not more secure than the other, it's all in the admin.
Sonic Blue 11-09-2002, 04:15 AM Very Well Put.
IIS's weaknesses are from external attackers.
Apache's weaknesses are from inside.
Setting up IIS is simple compared to setting up Apache on Linux.
Securing IIS is a breeze compared to securing Apache on Linux.
Spent 3 weeks trying to configure Apache/PHP/Perl/etc. so that Perl is run as a suexec wrapper and so PHP can't pull up directory listings. Finally now, 3 weeks later, I have it installed to the point where it works semi - just have to figure out why, even though Perl is installed and chmoded properly, it won't run.
And then figure out why httpd restart won't reload my httpd and redo the virtual servers (deleting/adding any new or old ones).
We did an audit on how much it would cost to hire somebody professionally to set up the Linux box and document everything down. Nobody was found, but it was estimated in the 1 to 3 grand. We looked at the time and figured that if we really wanted to, we could deploy .NET Advanced Servers / W2K Servers cheaper and quicker.
So the system is only as secure as the administrator, and honestly is only as easy as you are familiar with everything and are made aware of the security breaches that actually exist and are made aware of, or can find information on, how to patch it.
As for those 3 tools, they are very excellent. The only other thing I recommend using over that would be a custom built ISAPI filter.
my_forum_id 11-09-2002, 06:43 AM 1. Sign up to the updates mailing list and patch everything immediately.
2. Disable all 'default' accounts - web site / ftp site etc.
3. Move your web root OFF of the C:\ drive.
Security wise, a Windows 2000 server that's kept up to date with patches, has all non-essential services stopped, and is administered by someone that knows what they're doing is as secure as any other OS.
My background is Windows admin and I just invested in my first Linux box, and to be honest there seem to be MORE holes to patch on the Linux box than there ever were on the Windows ones.
FreeBSD I can't comment on, as I have no experience of it.
Pingu 11-09-2002, 01:04 PM Well, while we're at it, rename the Administrator account, or make a new Administrator account and change the original Admin account to something without any privileges. This is something insanely simple, but it cannot be done on Linux, or at least not that I know of.
As for the Linux-Microsoft discussion, I manage both a W2K server and a Linux server. Whenever there's a patch for MS, usually all I need to do is download and install a single patch.
Ok, and maybe reboot the whole server.
When there's a patch for Linux, often enough I need to recompile a whole bunch of other stuff as well. That vulnerability thing in zlib, for example, was great fun :rolleyes:
Ok, and then maybe just restart Apache or something.
Guess it doesn't really matter what you run, just as long as you are the one MANAGING it, as opposed to installing something and then never looking at it again. My guess is that most of the MS bashing is really geared towards all those home users running Personal Web Services and such (sometimes without even knowing it) without the necessary knowledge and experience. Does anyone really think Code Red, to name one thing, would have been so successful if there were no home PCs involved?
Then again, you would be surprised to see how many "professionals" fail to stay up to date, and that's something that applies to all platforms.
silversurfer 11-09-2002, 01:50 PM Pingu, it depends on how fast the fix comes about. In the Linux world usually it is faster. But anyway, as long as you know your stuff about Windows security, you should be fine.
Sonic Blue 11-09-2002, 02:29 PM Code Red ran rampant because it was allowed to. Partly because of user error, but mainly because administrators allowed themselves to be infected. Not to get political, but Nimda and Code Red were all ammo to be used on WTC had everything gone through. Because nothing fell through when WTC went through, they were allowed to die.
That's my 5 cents worth on that.
Once again, it all depends on how experienced the admin is, and how well you know the OS. Things like changing the name of the administrator, controlling the number of "failed login attempts",
running the 3 tools aforementioned, and running a firewall.
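The "failed login attempts" control mentioned above is an account policy, and on Windows 2000 it can be set from the command line without the MMC snap-ins. The batch fragment below is an added example for this thread (not a poster's script or a Microsoft sample); it uses the built-in NET ACCOUNTS command, and the threshold, duration and password-length values are assumptions picked for illustration.

```batch
@echo off
rem Added example: Windows 2000 account-policy settings via NET ACCOUNTS.
rem All numeric values below are assumptions; choose ones that fit your policy.

rem Show the current policy first so the change can be compared afterwards.
net accounts

rem Lock an account for 30 minutes after 5 failed logons within a
rem 30-minute window (the "failed login attempts" control from the post).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem Require passwords of at least 12 characters, expire them after 90 days,
rem and remember the last 5 so they cannot be reused.
net accounts /minpwlen:12 /maxpwage:90 /uniquepw:5

rem Confirm the new settings took effect.
net accounts
```

Run it from an administrative command prompt on the server itself; the first and last NET ACCOUNTS calls print the policy before and after, so the change is easy to verify and to record in the server's documentation. Lockout duration must be at least as long as the lockout window, which is why both are set to the same value here.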
about2flip 11-14-2002, 06:11 AM I am new to w2k server hosting too. I had my first attack to my IIS. (horrific:angry:) Thanks to Mike@RackMy for tips, I have not had an issue yet. (Knock on wood)
Anyway, I thought this Security Operations Guide may help you to lock down your server for W2K.
http://www.petri.co.il/read_about_w2k_security.htm
It is a free guide 196 pages you can download in .PDF format or you can read it online.
Best of Luck!
MikeM 11-14-2002, 11:58 AM not sure about 3 tips, but
Try to use secure passwords (upper/lower case ASCII etc.).
Pay attention to the warnings that Win2k gives. They are generally there for a good reason.
sasha 11-14-2002, 12:18 PM Sonic Blue
The following scenario is one of my problems with W2K.
Let's say an exploit shows up on the SecurityFocus bugtraq list. The exploit deletes all files on the drive.
The exploit author does not like MS and decided never to notify them about this, but now 1000s of script kiddies know about it.
You can not afford for the site to go down.
What do you do??
If this happened in an open source environment you would have at least 2 choices.
1. Have a cup of coffee and keep reloading the bugtraq page until the patch shows up there.
2. Take a good look at the exploit and make the patch yourself.
RackMy.com 11-14-2002, 08:42 PM The exploit author does not like MS and decided never to notify them about this, but now 1000s of script kiddies know about it.
You can protect yourself from about all of Microsoft's security holes without ever using MS's hotfixes or patches.
Interesting number: 99.5% of the hacks to OS in our datacenter are on Linux machines. Not MS.
sasha 11-14-2002, 10:27 PM Originally posted by RackMy.com
You can protect yourself from about all of Microsoft's security holes without ever using MS's hotfixes or patches.
How ??
RackMy.com 11-15-2002, 12:03 AM By being a good admin and running a tight ship! Firewalls also help.
If you like, post some of the "bugs" and I will show you how you can protect yourself w/o MS :)
sasha 11-15-2002, 02:55 AM There, I just went to the MS bulletins page and randomly clicked. It is an MS SQL problem rated as critical. Please do not suggest to disable remote access or turn the service off. The goal should not be decreasing functionality or refusing service. Might be better examples there.
http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-056.asp
The only thing I am saying here is that one's knowledge and control of the product is limited in the closed source proprietary software environment. This means that sooner or later you have no choice but to return to the vendor and accept whatever deal they feel like offering at that time. A good example of this is the recent Microsoft push of two EULA changes with a security update.
While I run *nix on 90% of my servers, ignore the crap about IIS. We ran a popular site for years on NT4 IIS4, never a hack. A little quiz - while we ran MS DNS for 5 years and never once updated due to a hack - how many patches came out for BIND? *cough* yeah, unix is inherently better.
My three suggestions in order of importance:
Keep updated with patches.
Keep updated with patches.
Keep updated with patches.
Chet
Vline 11-15-2002, 05:42 AM Yeah, there are tons of IIS lockdown papers floating around. As for Unicode and other IIS strings, I coded quite a large scanner a while back that tests for all that; grab it at Packet Storm.
http://packetstormsecurity.org/UNIX/cgi-scanners/IISscan2002.pl
Regards
1. Install pcAnywhere in addition to using Windows Terminal Services for remote administration. Most folks ignore this step, but WTS has a nasty habit not letting you attach if you have two sessions open effectively keeping you out of the box. (Normally, you set WTS to NOT close a session if the remote client dies and will usually reconnect, but sometimes it won't. You don't want to close the session on disconnect in case you are in the middle of something - you want it to keep running.)
With pcAnywhere loaded, you can remote-in with one tool and reset the other. Create an icon for WTS Manager on your desktop and learn how to force a reset of a session if you need to from pca.
2. Memory, memory, and more memory. If you have to choose, pick a slower CPU but more memory. A Pentium III with 1 gig of DRAM will run much better than a Pentium IV or Xeon with only 256MB or 512MB. Don't be cheap -- use ECC DRAM, avoid no-parity or simple parity chips. With boatloads of memory, a parity error is your enemy. ECC double-bit detection can mean the difference between a reliable system and one that flakes out. Watch your virtual memory settings - especially if you add memory after your OS install, the virtual memory settings will have defaulted based on a smaller amount of real memory and you should manually reset them. Rule of thumb is virtual should be twice the size of real memory.
3. Learn your way around the MS KB website. There is a wealth of info there and many white papers, guidelines, checklists and tutorials in addition to simply bug fixes and specific how-to info. Try searching MS site via Google - strange, yes, but it works well. Knowing how to find crucial info now, rather than when you are under the gun, will save you time and effort when you are in a hurry to track down a problem or issue as quickly as possible.
RackMy.com 11-15-2002, 10:21 AM 1. Install pcAnywhere in addition to using Windows Terminal Services for remote administration. Most folks ignore this step, but WTS has a nasty habit of not letting you attach if you have two sessions open, effectively keeping you out of the box. (Normally, you set WTS to NOT close a session if the remote client dies and will usually reconnect, but sometimes it won't. You don't want to close the session on disconnect in case you are in the middle of something - you want it to keep running.)
That's a good point, but it's really easy to set it up so that if your session gets disconnected it logs off the user after a set amount of time (15 mins). That way you have a chance to reconnect to regain control of your session, or if not, it will free up that session. We have been doing this on all our servers and it works really well for all our customers.
2. Memory, memory, and more memory. If you have to choose, pick a slower CPU but more memory. A Pentium III with 1 gig of DRAM will run much better than a Pentium IV or Xeon with only 256MB or 512MB.
Really, I have experienced the exact opposite. If you have good code, tons of memory is not needed. Our average memory in our servers is about 384 MB. Now that all changes if you have a session intensive app or leaky code.
Don't get me wrong, memory is very important, but I think processors can make a huge difference.
RackMy.com 11-15-2002, 10:54 AM There, I just went to the MS bulletins page and randomly clicked. It is an MS SQL problem rated as critical. Please do not suggest to disable remote access or turn the service off. The goal should not be decreasing functionality or refusing service. Might be better examples there.
I just checked the link you sent, but it's a Cumulative Patch for SQL Server. Give me an individual hotfix, as it would take me 1 day to look at all the hotfixes in that update :)
JDMundo 11-15-2002, 11:17 AM Just wanna add that Win's own IPSec is *great* for locking down a box, if you only need it for traditional server functions, i.e. web, ftp, smtp, sql etc.
If you need a lot of different ports open on different IP's or change them frequently, it can be pretty time consuming to keep up, but otherwise, ipsec is very effective to keep the bad guys out.
allan 11-15-2002, 11:19 AM Originally posted by spiv
1. Install pcAnywhere in addition to using Windows Terminal Services for remote administration. Most folks ignore this step, but WTS has a nasty habit not letting you attach if you have two sessions open effectively keeping you out of the box.
Last I checked pcAnywhere sent everything in clear text (no problem over a phone line, big problem over the WAN). Use Remotely Anywhere instead, RA allows you to use SSL to encrypt sessions.
JDMundo 11-15-2002, 11:24 AM Originally posted by uuallan
Last I checked pcAnywhere sent everything in clear text (no problem over a phone line, big problem over the WAN). Use Remotely Anywhere instead, RA allows you to use SSL to encrypt sessions.
Nope, not true. You can encrypt all communication between PCA Host and Client if you wish.
ServerCentreLtd 11-15-2002, 11:27 AM Originally posted by RackMy.com
You can protect yourself from about all of Microsoft's security holes without ever using MS's hotfixes or patches.
Originally posted by sasha
How ??
Yes, please tell us how.
RackMy.com 11-15-2002, 11:52 AM Yes, I think you can encrypt PCA with multiple types of encryption. VNC is one that uses clear text.
allan 11-15-2002, 11:54 AM Originally posted by RackMy.com
Yes, I think you can encrypt PCA with mulitple types of encryption. VNC is one that uses clear text.
Ahhh...its been too long since I had to administer a Windows server...I'll just keep my mouth shut :D.